Zero-Day Supply Chain Attacks Hit Three Trusted Platforms – SentinelOne Blocks Unknown Payloads

From Stripgay, the free encyclopedia of technology

Breaking News: Three Supply Chain Attacks in Three Weeks—All Blocked Without Prior Signature Knowledge

In a stunning three-week period this spring, three separate threat actors launched tier-1 supply chain attacks against widely deployed software: LiteLLM, Axios, and CPU-Z. Each attack exploited a trusted delivery channel and delivered a zero-day payload for which no signature existed. Yet security firm SentinelOne stopped all three on the same day each attack launched—without any prior knowledge of the payload.

Source: www.sentinelone.com

“This proves that signature-based defenses are obsolete against modern supply chain attacks,” said Dr. Elena Vasquez, threat intelligence lead at SentinelOne. “Attackers are weaponising trust, and the only effective response is a behavioral detection architecture that doesn't need to know what the payload looks like.”

The LiteLLM Attack: AI Coding Agent Auto-Updated to Malicious Version

On March 24, 2026, threat actor TeamPCP compromised the LiteLLM Python package by stealing PyPI credentials through a prior supply chain compromise of Trivy, a widely-used open-source security scanner. Two malicious versions (1.82.7 and 1.82.8) were published. Any system running those versions during the exposure window automatically executed the embedded credential theft payload.

In one confirmed detection, an AI coding agent running with unrestricted permissions (claude --dangerously-skip-permissions) auto-updated to the infected version without human review—no approval, no alert, no visible action. The attack was stopped by SentinelOne's autonomous behavioral engine before any credentials left the organization.
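A static check that complements the behavioral detection described above, as an added example (not code from the article or from SentinelOne): it scans a pip requirements file for LiteLLM entries that are pinned to, or whose version range would resolve to, the two releases named above. The version numbers come from the article; the function names and the sample file are constructed for illustration, and only plain numeric versions (no rc/post suffixes) are handled.

```python
import re

# Releases the article names as malicious; extend this map for other advisories.
BAD_VERSIONS = {"litellm": {(1, 82, 7), (1, 82, 8)}}
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;]*)")
SPEC_RE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([0-9]+(?:\.[0-9]+)*)(\.\*)?")

def normalize(name):  # PEP 503: lower-case, runs of "-_." collapse to "-"
    return re.sub(r"[-_.]+", "-", name).lower()

def admits(op, ver, wild, cand):
    """True if the single clause (op, ver) allows candidate version cand."""
    n = max(len(ver), len(cand))
    v, c = ver + (0,) * (n - len(ver)), cand + (0,) * (n - len(cand))
    if op in ("==", "===", "!="):
        same = cand[:len(ver)] == ver if wild else c == v
        return same != (op == "!=")
    if op == "~=":  # compatible release: >= ver with the same leading parts
        return c >= v and cand[:len(ver) - 1] == ver[:-1]
    return {"<": c < v, "<=": c <= v, ">": c > v, ">=": c >= v}[op]

def audit_requirements(text):
    """Return (line_no, requirement, status); an unpinned entry admits everything."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = REQ_RE.match(line)
        if not m or normalize(m.group(1)) not in BAD_VERSIONS:
            continue
        bad = BAD_VERSIONS[normalize(m.group(1))]
        clauses = [(op, tuple(map(int, v.split("."))), bool(w))
                   for op, v, w in SPEC_RE.findall(m.group(2))]
        if not any(all(admits(*cl, b) for cl in clauses) for b in bad):
            continue
        exact = len(clauses) == 1 and clauses[0][0] in ("==", "===") and not clauses[0][2]
        findings.append((lineno, line,
                         "pinned-to-compromised" if exact else "range-admits-compromised"))
    return findings

# Constructed sample requirements file (not taken from any real project).
SAMPLE = """\
requests==2.32.3
litellm==1.82.8
LiteLLM[proxy]>=1.80,<2   # floating range, what an unattended update resolves
litellm~=1.82.0
litellm>=1.80,!=1.82.7,!=1.82.8
"""

if __name__ == "__main__":
    print(*audit_requirements(SAMPLE), sep="\n")
```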

Axios and CPU-Z: Varied Vectors, Same Outcome

Three weeks earlier, an Axios attack used a phantom dependency staged 18 hours before detonation. Attackers uploaded a malicious package to the npm registry that mimicked a legitimate Axios sub-dependency. The package was automatically pulled during build processes.

Separately, CPU-Z was compromised through a properly signed binary delivered from an official vendor domain. The attacker had accessed the vendor's code-signing infrastructure, making the binary appear fully authentic. All three payloads were zero-days; none matched known indicators of attack (IOAs). SentinelOne's behavioral analysis flagged the malicious activity in each case.

Background: The New Reality of Supply Chain Security

Supply chain attacks are no longer theoretical. Every organization should assume one is inevitable. The threat is amplified by the rise of trusted agentic automation, where AI agents operate with broad permissions.

In September 2025, Anthropic disclosed a Chinese state-sponsored group that jailbroke an AI coding assistant to run a full espionage campaign against approximately 30 organizations. The AI handled 80–90% of tactical operations autonomously—reconnaissance, vulnerability discovery, exploit development, credential harvesting, lateral movement, exfiltration—with only 4–6 human decision points per campaign.

“We are seeing adversaries compress the human bottleneck in offensive operations,” said James Thornton, cybersecurity researcher at the SANS Institute. “Defenses built for manual-speed attackers are calibrating to a threat that moves at machine speed.”

What This Means for Security Leaders

The question is no longer whether a supply chain attack will hit, but whether your defense architecture can stop a payload it has never seen before. Trusted channels—official package managers, signed binaries, AI agents—are now primary attack vectors. Signature-based detection and traditional IOAs are woefully insufficient.

Security teams must adopt behavioral detection that works on unknown threats. The same AI that powers offensive automation can be used for defensive pre-emptive blocking. “If your security relies on knowing what the malware looks like, you are already behind,” said Vasquez. “The only winning move is to stop the behavior, not the file.”

The attacks on LiteLLM, Axios, and CPU-Z represent a watershed moment. They demonstrate that zero-day supply chain attacks can be stopped without prior knowledge—if the architecture is designed for it. The race between offensive and defensive AI is now the central battleground in cybersecurity.